Countdown to 7 April: hackers struggle to get iCloud threats straight

Threats made last week that hundreds of millions of iCloud accounts would be wiped if hackers were not paid a ransom look increasingly dubious, as the group struggles to keep its story straight and security professionals pick apart its claims.

The hackers' claims could have massive consequences, if they are actually true

Confusion abounds over the iCloud hack as 7 April draws closer. Security experts increasingly doubt whether the claims made by a group known as the Turkish Crime Family are legitimate at all; the group's own account grows more inconsistent by the day; and reports are coming in of other scams leveraging the chaotic publicity around the incident.

Last week a group calling itself the Turkish Crime Family claimed that it had access to hundreds of millions of iCloud accounts, which it would reset on 7 April if it did not receive a ransom payment of tens of thousands of dollars from Apple.

The mammoth claims were largely treated with suspicion, but they still raised eyebrows across the security industry.

David Kennerley, director of threat research at Webroot, told SC, “If this is proven to be a legitimate breach the consequences for Apple and its millions of users would be far reaching.”

He added: “There's a lot of questions that need to be answered such as, do these hackers really have access to the data they claim? How did they get hold of such a large amount of data? Was it a vulnerability in Apple's infrastructure or breach of a third-party tool or organisation?”

The group's claims have been scrutinised even further in the wake of the announcement. Security researcher Troy Hunt thinks the group is probably reusing credentials from other large dumps and attempting to extort Apple with them.

Apple agrees. The tech giant released a statement to SC Media last week: "There have not been any breaches in any of Apple's systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.”

Paul Calatayud, chief technology officer at FireMon, told SC he believes “these claims are accurate, but also [were] most likely not caused by Apple”.

For example, Calatayud added, “If my e-mail account happens to be from Yahoo, and that account is affected by the breach that just occurred, then there is a chance that the attackers are already able to compromise other accounts I hold such as my Apple ID.”

Shuman Ghosemajumder, CTO of Shape Security, told press he thought the group was using “credential stuffing attacks”. In a credential stuffing attack the attacker takes the username/password pairs leaked in a large breach elsewhere and replays them, automatically and in bulk, against another service's login; every account whose owner reused the same password on both services is taken over. Even a small hit rate against hundreds of millions of leaked pairs could leave “the family” with enough working accounts to pose a significant threat, which is why unique passwords per service and two-factor authentication are the standard defences against it.
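To make the credential-stuffing pattern concrete, here is an added example, written for this article and not code from SC Media, Shape Security or Apple, of the detection logic a defender would run over a service's authentication log. It flags source IPs that try many distinct usernames in a short window with a low success rate (the signature of replayed breach data), then lists the accounts that logged in successfully from a flagged IP as probable password-reuse victims. The log lines, IP addresses, usernames and thresholds are all constructed for the example; a real deployment would tune the window and ratios to its own traffic and add per-account and per-ASN views, because stuffing is routinely spread across proxy pools.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (hypothetical, not real iCloud data):
# ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2017-03-28T10:00:00Z 203.0.113.7 alice@example.com FAIL
2017-03-28T10:00:05Z 203.0.113.7 bob@example.com FAIL
2017-03-28T10:00:11Z 203.0.113.7 carol@example.com SUCCESS
2017-03-28T10:00:17Z 203.0.113.7 dave@example.com FAIL
2017-03-28T10:00:23Z 203.0.113.7 erin@example.com FAIL
2017-03-28T10:00:29Z 203.0.113.7 frank@example.com FAIL
2017-03-28T10:00:35Z 203.0.113.7 grace@example.com FAIL
2017-03-28T10:00:41Z 203.0.113.7 heidi@example.com FAIL
2017-03-28T10:01:00Z 192.0.2.9 alice@example.com FAIL
2017-03-28T10:01:20Z 192.0.2.9 alice@example.com FAIL
2017-03-28T10:01:45Z 192.0.2.9 alice@example.com SUCCESS
2017-03-28T10:02:00Z 198.51.100.20 ivan@example.com SUCCESS
2017-03-28T10:02:10Z 198.51.100.20 judy@example.com SUCCESS
2017-03-28T10:02:20Z 198.51.100.20 mallory@example.com SUCCESS
2017-03-28T10:02:30Z 198.51.100.20 niaj@example.com SUCCESS
2017-03-28T10:02:40Z 198.51.100.20 olivia@example.com SUCCESS
2017-03-28T10:02:50Z 198.51.100.20 peggy@example.com SUCCESS
2017-03-28T10:10:00Z 203.0.113.55 quentin@example.com FAIL
2017-03-28T10:16:00Z 203.0.113.55 rupert@example.com FAIL
2017-03-28T10:22:00Z 203.0.113.55 sybil@example.com SUCCESS
2017-03-28T10:28:00Z 203.0.113.55 trent@example.com FAIL
2017-03-28T10:34:00Z 203.0.113.55 victor@example.com FAIL
2017-03-28T10:40:00Z 203.0.113.55 walter@example.com FAIL
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed 4-column format into events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, ip, user.lower(), outcome == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(events, window_seconds=300, min_distinct_users=5, max_success_ratio=0.25):
    """Return {ip: (distinct_users, attempts, successes)} for the worst window per flagged IP.

    A stuffing source cycles through many *different* usernames and mostly fails
    (leaked passwords only work where the owner reused them). A busy NAT gateway
    also shows many usernames, but its success ratio is high, so it is not flagged.
    """
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        lo = 0
        for hi in range(len(evs)):                       # sliding window [lo, hi]
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            chunk = evs[lo:hi + 1]
            users = {e.user for e in chunk}
            successes = sum(e.ok for e in chunk)
            if len(users) >= min_distinct_users and successes / len(chunk) <= max_success_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), len(chunk), successes)
    return flagged


def exposed_accounts(events, flagged_ips) -> list[str]:
    """Accounts that authenticated successfully from a flagged source: likely reused passwords."""
    return sorted({e.user for e in events if e.ok and e.src_ip in flagged_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    fast = detect_stuffing(evs)
    print("flagged (5-minute window):", fast)
    print("exposed accounts:", exposed_accounts(evs, fast))
    # The low-and-slow source only shows up once the window is widened.
    print("flagged (1-hour window):", detect_stuffing(evs, window_seconds=3600))
```

With the default five-minute window only 203.0.113.7 is flagged and carol@example.com is listed as exposed; 203.0.113.55, which paces one username every six minutes, is missed until the window is widened to an hour. That gap is the point a practitioner should take from the example: rate-based detection alone is defeated by spreading attempts over time and over many source addresses, so it needs to be paired with account-side signals and with the two controls that remove the underlying exposure, unique passwords and a second factor.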

Meanwhile, the group has had a hard time putting out a clear message. It was first reported that the group was holding hundreds of millions of iCloud accounts to ransom for US$75,000 (£60,000). The group later told press that the demand had been upped to US$150,000 (£120,000). An email to press a couple of days later said that the group wanted US$100,000 (£80,000) in bitcoins for each of its seven members, or alternatively US$1 million (£804,000) in iTunes vouchers.

The number of accounts the group claims it can wipe is equally unclear. The first disclosure said the group was in possession of 519 million sets of credentials, from which it threatened to wipe 220 million accounts. The number of credentials then jumped to 627 million and then to 717 million. The latest message says the group holds “800 million iCloud accounts”.

Media outlets which reached out to the group's Twitter account were sent a succession of messages, each giving different information. The first message simply answered a number of questions that several reporters had already asked.

A message the next day attempted to correct the previous email: “If you've spoken to somebody on this Twitter account it was one of our media members that is no longer with us due to a little inaccuracy and lack of professionalism.”

A third message appeared several days later from another person claiming to handle media relations for the group. The group has now walked back the claim that iCloud was breached, on the grounds that “there's no proof for either party”. Instead the email asserts that another Apple product was breached, without saying which.

It has not been verified whether any of the parties claiming to represent the group are legitimate, but what is clear is that confusion reigns when trying to establish what the Turkish Crime Family wants and what it is threatening.

There have also been reports of “Windows tech support” style scams leeching off the publicity surrounding the incident. Such scams typically involve a phone call from someone pretending to be defending the victim from an attack, or fixing a problem with a computer or account.

Intimate knowledge of the recipient's credentials or personal details often cons people into thinking the caller is legitimate. Prospective victims are then asked either to hand over sensitive information or to make changes on their computer, which often gives the con artists access.

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.